In the world of regulatory compliance, it’s often the unsaid expectations that separate responsible operators from those who stumble into scandal. Nowhere is this more apparent than in the requirements around recording safety concerns, adverse events, complaints, and improvements across consumer products. The regulations, like the UK General Product Safety Regulations (GPSR) and the EU’s General Product Safety Regulation (2023/988), may not spell everything out, but they imply a hell of a lot. And if you’re not picking up what the regulators are putting down between the lines, you’re exposing your business and your consumers to serious risk.
This article explores the subtle but critical expectations around systemised safety tracking, linguistic coverage, scale-responsiveness, and what it really means to fulfil your regulatory duty.
1. The Unspoken Rule: You Need a System
The GPSR and its EU counterparts don’t contain a line that says: “Thou shalt have a fully functional digital system that logs adverse events in 20+ languages with 99.9% uptime.”
But here’s the truth: you’re still expected to have something close to it.
What they do say is that businesses must take measures “proportionate to the characteristics of the product” and the risks it may pose. They require that producers and distributors:
- Monitor consumer complaints
- Keep records of product risks and incidents
- Collaborate with enforcement authorities
- Take appropriate corrective actions
That might sound vague, but it’s not a loophole. It’s a mandate to use judgment. And that judgment will be assessed after something goes wrong.
2. Scale Matters – So Should Your System
Let’s say you’re pushing 30 million in revenue. Maybe 50. Or maybe you’re selling 10 million units a month across multiple countries. You’re no longer a back-bedroom brand. So if your incident tracking process still relies on an Excel sheet and a catch-all “info@” email address, you’ve already lost the argument.
Why Scale Amplifies Risk:
- A batch failure of just 10% at 10 million units means 1 million safety concerns.
- Those complaints might come in 10+ different languages.
- They might hit multiple channels: email, social media, distributors, and call centres.
- A spreadsheet simply can’t handle that complexity, and regulators know it.
Regulators don’t expect startups to build enterprise-grade infrastructure overnight. But if you’re turning over 8 figures and operating in 12 markets, they absolutely expect more than a Google Form.
3. Local language Isn’t Optional, It’s Assumed
Many brands assume that if they’re compliant in English, they’re compliant everywhere.
Wrong.
Why Local-Language Support Is a Hidden Requirement:
- Consumer understanding: If a user in France encounters a safety concern and can’t report it in French, that’s not a functioning complaint system. It’s a blocker.
- Regulatory inspections: Authorities expect you to show logs and documentation relevant to their jurisdiction, in their language.
- Evidence of due diligence: A single misfiled incident, unrecorded because “nobody could read the Spanish email,” could be seen as negligence.
There’s no clause that demands “multi-language ticketing systems.” But the logic is clear: if your consumer base is multilingual, your safety response needs to be too.
4. Complaint Volume ≠ Complaint Management
Many brands confuse receiving complaints with managing them.
Here’s what actual safety concern management requires:
- Automated intake from web forms, emails, distributors, and social platforms
- Tagging and triage: Is it a misuse case, a defect, or a systemic risk?
- Escalation rules: When does a report trigger batch testing, a CAPA, or a recall?
- Time-stamped logs that can be shown to regulators on demand
- Case closure protocols with documented outcomes
Your system needs to handle quantity, quality, and accountability. Otherwise, you’re just accumulating risk.
5. It’s Not Just a System, It’s a Risk Control Measure
This isn’t IT procurement. This is compliance-by-design.
A proper incident management system:
- Reduces time to identify trends
- Flags systemic manufacturing faults
- Minimises harm through early intervention
- Strengthens your defence in case of litigation or recall
If you get investigated by an enforcement body, say, after a product causes injury or worse, they will ask: “What risk analysis did you do?”
If your answer is, “Well, we kinda looked at the emails coming in,” that’s not a defence. That’s a confession.
6. What Enforcement Bodies Expect to See
They might not say it in public documents, but here’s what we know from experience:
- Full lifecycle traceability of every concern raised
- A single source of truth (not scattered emails)
- Structured data that allows pattern analysis
- Response timelines that show urgency and resolution
- A process that aligns with your size and market reach
The bigger you are, the bigger the expectation.
7. Common Excuses and Why They Don’t Work
Let’s tackle some of the favourites:
“The regulation doesn’t say we need software.”
No, but it requires proportional action. For an 8-figure company, manual tracking isn’t proportional.
“We haven’t had any serious incidents yet.”
That’s luck, not compliance. Risk management is about preparation, not reaction.
“We can’t afford a big system.”
If you can afford international sales, you can afford incident tracking. SaaS tools exist at every price point.
“We only sell through distributors, they handle complaints.”
Your brand is still on the label. Liability doesn’t disappear because someone else sold it.
8. Real-World Scenarios That Catch Brands Out
- A consumer in Italy emails to report a burn injury. The email goes to spam. There’s no tracking system. Three months later, a second consumer reports the same issue. Still no system. By the time authorities catch wind, it’s too late, and your lack of a scalable, multilingual reporting process becomes the story.
- You identify a batch issue affecting 400,000 units in Germany and Spain. You post a vague notice on your website. But without structured logging, there’s no way to identify how many complaints relate to that specific batch, whether the risk is escalating, or how many customers are still affected. That’s not compliance, it’s crisis mismanagement.
9. The Legal Grey Is Where Risk Lives
Regulators are getting smarter. They know that not every rule can be written. So instead, they look at your intent, your systems, and your records.
You are expected to read between the lines:
- If you’re big, act big.
- If you’re cross-border, act multi-lingual.
- If you care about consumers, prove it with data, not just marketing.
10. The Compliance Culture Shift
This isn’t just about software, it’s about mindset.
A compliance-forward brand doesn’t ask, “What’s the minimum we can get away with?” It asks:
- “What do our systems say about how seriously we take safety?”
- “If something went wrong, could we defend our actions in a courtroom or a tabloid?”
- “Are we using safety data to improve our product and our reputation?”
Compliance isn’t red tape. It’s brand protection. It’s consumer protection. And it’s the hard edge of trust in competitive markets.
Conclusion: Compliance Beyond the Letters of the Law
If there’s one takeaway from the GPSR and other safety frameworks, it’s this:
The absence of explicit instructions is not a license for ignorance.
You’re expected to build systems that match your footprint, your risk profile, and your consumer base. That means multilingual intake, scalable tracking, smart triage, and proof of action.
Failing to do that might not get you caught today. But when something does go wrong, and it will, it won’t be the incident that takes you down.
It’ll be your lack of systems.
If you are struggling to get a grip on your regulatory requirements, why not use our free compliance assessment tool – ARC Methodology and benchmark your status? We’ll create a free 25+ report based on your answers, which will highlight your weaknesses and provide a roadmap for improvement.